UBUNTU-CVE-2025-24374

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-24374

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-24374.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-24374

Upstream

CVE-2025-24374

Published

2025-01-29T16:15:00Z

Modified

2025-09-08T17:08:11Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Ubuntu - low

Summary

[none]

Details

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

References

Affected packages

Ubuntu:Pro:16.04:LTS / twig

Package

Name: twig
Purl: pkg:deb/ubuntu/twig@1.23.1-1ubuntu4+esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.20.0-1

1.23.1-1ubuntu1

1.23.1-1ubuntu4

1.23.1-1ubuntu4+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.23.1-1ubuntu4+esm1",
            "binary_name": "php-twig"
        }
    ],
    "priority_reason": "It's exploited only if an user creates a vulnerable template"
}

Ubuntu:Pro:18.04:LTS / twig

Package

Name: twig
Purl: pkg:deb/ubuntu/twig@2.4.6-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.24.0-2ubuntu1

2.*

2.4.4-2ubuntu1

2.4.6-1

2.4.6-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.4.6-1ubuntu0.1~esm1",
            "binary_name": "php-twig"
        }
    ],
    "priority_reason": "It's exploited only if an user creates a vulnerable template"
}